Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Supabase Hakke
v1.1.0
Supabase integration for Hakke Studio projects. Auth, database, storage, edge functions. Use with vercel skill for full-stack deployment.
by Bastian Berrios Alarcon (@studio-hakke)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (Supabase integration for Hakke) align with the commands and SQL in SKILL.md, but the metadata and instructions include surprising items. The 'requires' metadata lists 'vercel', which is reasonable. However, the SKILL.md references an author-specific project path (/home/bastianberrios/...) and a hard-coded login email (contacto@hakke.cl). These author-specific artifacts are not justified by a generic Supabase integration and suggest the instructions are a direct dump of the maintainer's local workflow rather than a general-purpose skill.
Instruction Scope
The runtime instructions tell the agent to run CLI commands (supabase login, link, db push, functions deploy) and to place/expect env variables. They also reference a specific local path and instruct logging in with the author's OAuth account. The SKILL.md refers to sensitive keys (.env variables) and server-side operations (service_role key), but the skill declares no required env vars. The instructions therefore request access to secrets and local filesystem locations not declared in the skill metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, so nothing is written to disk by the skill itself. That keeps install risk low.
Credentials
The SKILL.md shows and expects sensitive environment variables (NEXT_PUBLIC_SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY) and suggests operations that require the service_role key (server-side/admin tasks). However, the skill metadata declares no required credentials or primary credential. The absence of declared env requirements while the instructions clearly use/require secrets is a proportionality mismatch and a red flag for accidental or deliberate omission.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system modifications. It does declare use of an exec tool (invoking shell commands), which is expected for a CLI-focused integration, but there is no evidence it alters other skills or global agent settings.
What to consider before installing
This skill appears to be a legitimate Supabase how-to for the author's Hakke project, but it contains author-specific paths and an explicit OAuth login email, and it references server-side secrets without declaring them. Before installing or running it:
1) do not provide any credentials unless you understand which key is needed (service_role keys are highly sensitive and should only be used in secure server environments);
2) remove or adapt hard-coded local paths and the example login email to your own environment;
3) treat the SKILL.md as documentation rather than an automated routine — running the 'supabase login' and CLI commands from the agent could attempt to use or modify your local files and environment; and
4) if you plan to allow the agent to invoke this skill autonomously, restrict it from accessing secrets or running CLI commands until you have sanitized the instructions.
If you want a safer integration, ask the author to provide a cleaned, generalized SKILL.md that declares required env vars explicitly and removes author-specific artifacts.
Like a lobster shell, security has layers — review code before you run it.
